Microsoft is altering how companies arrange new Home windows 11 gadgets. Beginning in September 2025, eligible enterprise and training prospects will get the most recent high quality updates throughout the Home windows out-of-box expertise (OOBE) earlier than the primary login.
The corporate says the transfer is supposed to enhance safety and stability from the very starting, chopping down on the variety of updates required after deployment.
The way it will work
On the ultimate web page of OOBE, the gadget will now verify Home windows Replace and set up any accessible high quality updates. Meaning the system ought to already be patched with the newest bug fixes and enhancements when the person indicators in for the primary time.
“You may preserve seamless management over high quality replace conduct throughout provisioning, whereas making certain alignment with organizational safety and compliance necessities,” Microsoft wIf rote in its official announcement.
This new default won’t have an effect on unmanaged client gadgets. It applies solely to Microsoft Entra-joined or hybrid-joined PCs operating Home windows 11 model 22H2 or later and managed by way of Intune or supported cellular gadget administration (MDM) options with an Autopilot Enrollment Standing Web page (ESP) profile.
IT directors can handle the method from the Intune admin heart by going to Gadgets | Enrollment | Enrollment Standing Web page after which adjusting the brand new setting Set up Home windows High quality Updates (May Restart The Machine).”
New ESP profiles can have the choice turned on by default, whereas present profiles will stay set to No till modified.
A trade-off: Longer setup for higher safety
Though the brand new system provides directors extra flexibility, it comes with situations. If a tool is just not assigned an ESP profile, the updates will set up robotically and can’t be disabled. This implies organizations counting on Autopilot gadget preparation insurance policies might discover the updates enforced by default.
The updates additionally respect pause and deferral guidelines if these settings are correctly configured in Replace Rings and assigned to the identical group because the ESP profile. With out this alignment, Microsoft warns that settings might not all the time apply persistently.
For IT groups, the change reduces the burden of patching gadgets instantly after rollout, making certain that techniques are compliant and safe from day one. Customers might discover an extended setup time, with some stories suggesting OOBE may now take as much as 20 minutes earlier than reaching the desktop.
Trade observers level out that, whereas the function strengthens safety, it additionally tightens Microsoft’s management over how updates are delivered, which has been a long-standing concern amongst enterprise directors.
At Black Hat 2025, Microsoft revealed how its safety groups work in actual time to outpace hackers and cease assaults earlier than they escalate.
